Reliability Adds Risk Over Time

Being able to connect devices to other devices has a long list of benefits, many of them related to the digitization of the analog or physical world. That includes all the benefits of being able to quantify, process and analyze information to to relay it in real time all over the globe.

This is what’s at the heart of the Internet of Things/Internet of Everything revolution. It’s also at least some of the motivation for consolidation in the semiconductor industry, and it’s what will propel semiconductor demand forward and upward for years to come.

What’s less clear behind all the hoopla are the intricacies of risk, particularly when that risk is viewed over time. The basic issue is that the electronics industry doesn’t really have much history to fall back on here. No one ever thought 20 years ago that a car would be connected to anything. And in the past, if you kept up a car or a washing machine or even a printing press for 20 or 30 years, no one really paid much attention. You might have to replace some worn out parts, but if you could make it work and you didn’t care about upgrading to the latest and greatest equipment, that didn’t really matter to anyone else.

In a connected world, it’s a different story. Hacking a smart washing machine made today will be child’s play in five years. The people doing the hacking will be more sophisticated, and so will the tools they use to do the hacking. Security is only now being implemented on some devices, in some markets, and at some levels (mostly software, although companies like ARM, Imagination, Intel, Andes and AMD are adding it into processors and processor cores).

While there is much discussion about hardware security, most vendors continue to balk at the price of implementing it. It’s still not an integral part of most chipmakers’ or system vendors’ architectures. And until they are faced with breaches and potential loss of business, they’re unlikely to change anything.

They are, however, focused on quality and reliability. Automotive companies, in particular, have heard the message loud and clear that reliability of electronics is how consumers perceive their brand. They have been on a quest over the past few years to improve quality so that after three years a voice-activated GPS or phone system not only works, but remains relevant with software or firmware upgrades.

That’s good for the car owner. It’s also good for the dealers, because margins are generally higher for used cars than for new cars. And they’re even higher if those cars can be upgraded along the way. The same applies for industrial equipment. While the sticker price is lower after the first sale, the margins are higher over the lifespan of that equipment.

The problem is that adding reliability and longevity into a device increases the vulnerability of everything connected to that device. So a car connected to another car can add risk into the entire network. An old router connected to a home network can provide a rather rudimentary point of entry for data thieves. As many companies have learned with some very public breaches, everything can be hacked, but the usual target is the stuff that hasn’t been secured with the latest techniques and technology.

This completely changes the risk equation. It’s no longer just about securing a device or even a network. It’s about securing everything connected to that device, including some things that have nothing to do with it. Sleeper malware can go undetected for years, maybe even decades, and then used as an entry point for breaching equipment that doesn’t even exist yet.

Obsolescence used to be something that was frowned upon by consumers and businesses. It’s not uncommon to still find old networking equipment humming along in some closet in a large ultra-modern data center, or an old set-top box in a spare bedroom connected to a TV no one watches. But in the future, in the context of shifting security needs and capabilities, that old equipment may be looked upon in a much different light.

Ed Sperling

(all posts)
Ed Sperling is the editor in chief of Semiconductor Engineering.

Jayna Sheats

Which means, to a large extent, that software upgrades must be planned for at the beginning, just as they are for our PCs and phones.

I would argue with one point in your thoughtful essay: the “very public breaches” we have heard about recently rarely, if ever, were caused by lack of technology. They were almost invariably caused by human carelessness, and entirely in the software. They are the equivalent of locking the front door but leaving a large window right next to it wide open.

I suspect that if security were made a priority by IoT device designers, the capability so introduced could be effectively upgraded, but that capability has to be there at the outset and it is currently not. Your analysis does imply that hardware-based security is problematic, unless the magic solution (e.g. one of the PUFs) is already at hand (probably not probable).